Comparing the Security of Low-Power Wide-Area Network Technologies

I was recently asked by the GSMA to undertake an independent study looking at the security of various LPWA (Low-Power Wide-Area) network technologies. I took on the project because I find it a very interesting topic; these types of network are targeted at IoT (Internet-of-Things) devices, an area I have been working on over the last couple of years with IoTUK and the IoT Security Foundation. One of the main challenges of the IoT space is in making trade-offs to accommodate low-power and low-cost devices, and security is one of the things that might be traded off.

You can download the 20-page report here.

The obvious question you might expect to be answered is “Which one’s the best?” but I’m afraid the answer is a resounding “It depends” 🙂. The different technologies we looked at have varying security features, but it’s not the case that one is always better than another; two technologies might each have a security feature that the other lacks, or you might not need some of the security features and make your choice based on other factors like coverage, power consumption or cost.

The part of the study that I found most interesting was determining the list of different network security features that you might or might not care about, and thinking about how to assess particular use cases to decide whether or not each feature was needed. I didn’t include the detailed working through of that in the report, as considering 5 use cases, 5 network technologies, and 20 different security features (some of them optional) for each pair of use case and technology, makes for a pretty big spreadsheet! I will be talking more about my method at the Mobile 360 Privacy & Security event in The Hague later this month, as I hope it will be useful to others considering the security aspects of deploying IoT devices on a low-power network.

Of course you must have conclusions in a report such as this, and so we have a coloured-in table summarising the suitability of each technology for each use case, but I must emphasise it’s not as simple as that. It very much depends on YOUR particular use case – even if it’s one of the ones listed here, I may have made assumptions that don’t apply to your situation (for example whether it’s feasible to physically access devices to update them, or whether devices are being used in a safety-critical context). That said, the table is reproduced here if you want to “skip to the end”:

| Use case | LTE-M | NB-IoT | EC-GSM-IoT | LoRaWAN | Sigfox |
|---|---|---|---|---|---|
| Smart Pallet | Good | Good * | Adequate | Good | Poor |
| Smart Agriculture | Good | Good | Good | Adequate | Adequate |
| Smart Street Lighting | Adequate | Good * | Adequate | Adequate * | Adequate |
| Water Metering | Adequate * | Good * | Adequate * | Adequate | Poor |
| Domestic Smoke Detectors | Good | Good | Good | Adequate | Adequate |

The final point to note here is that the asterisks (*) in the table above indicate assumptions that certain optional features of that technology have been enabled by the network operator; this may or may not be the case for YOUR network operator, so I’m afraid there’s no short-cut to doing your own assessment of the security needs of your use case, and discovering the security features offered by your network operator. If there’s just one thing to take away from this, I would say it’s that network security is “horses for courses” and you need to assess your own specific security needs before locking yourself in to a particular technology choice.

Feedback in the comments below is welcomed, and we will do our best to respond. As a next step, I intend to take the matrix of technologies and security features and put a version of it up on our wiki; it would be great to extend it with information on some of the other technologies we haven’t been able to cover in this report, such as RPMA and Weightless.